Security concern related to port openings for Let's Encrypt

Currently reading
Security concern related to port openings for Let's Encrypt

53
4
NAS
DS1522+, E10G22-T1-Mini RJ45 10G Ethernet Module
Hello,

I set up DSM. I only use the NAS locally. No plan to access it from outside home network but need to update software and firmware when available. I want to use Synology Photos, Apple's Touch ID as 2FA, Synology Drive an Active Backup for Business. However, these apps seem to require me to create a domain name and generate a certificate. Then, get it authenticated by Let's Encrypt. It seems that to do that, I have to open ports on my router which some users said could create a security risk.

I expressed my concern and Synology told me that:

"These applications do not require a connection certificate. Connection certificates are only required if you want to connect securely. Otherwise, the connection will be unencrypted."

1. Is it better to have encrypted connections even all the devices are from home network?

I asked them if there is another way to get around this as opening ports creates a security risk and somebody mentioned Tailscale.

They replied:

"Yes, this is only if you connect with the Synology DDNS. Otherwise, you can use the Quickconnect relay service. This does not require port forwarding. You will still connect securely; our Synology Apps are designed to connect with this service.

What are the differences between QuickConnect and DDNS? - Synology Knowledge Center
"

2. Does that mean he suggested using Quickconnect which many people advised against enabling especially for those who do not want/need to make the NAS visible to the internet?

3. In my case, what is the best way to do if I want to use the apps and feature I mentioned? What is the risk for opening ports for a few minutes?
 
No plan to access it from outside home network but need to update software and firmware when available.
In that case you need neither DDNS nor QuickConnect, You are fine as is.
apps seem to require me to create a domain name and generate a certificate.
Not an Apple user, but generally that is incorrect. Did you try?
 
However, these apps seem to require me to create a domain name and generate a certificate
What support said stands, but in case of using Apple Touch ID and 2fa access using the Secure SignIn app that supports it, you will have to configure it using a valid https accesible domain name. That means you will not be able to "host" it over http even if its just for internal usage. The wizard will warn you when you try and configure it.

Screenshot-2020-11-29-at-07.09.44.png



What is the risk for opening ports for a few minutes?
Being exposed is always risky unless you follow certain rules, and even then you have to be on top of things in terms of patches, security hardening.

Best to follow the security sheet and make sure all elements are closed and set as best as possible.

 
Thanks for the security sheet.

After getting the certificate approved by Let's Encrypt, if I disable QuickConnect, will I stop the NAS from being exposed or it has already left some traces on the internet?
 
Thanks for the security sheet.

After getting the certificate approved by Let's Encrypt, if I disable QuickConnect, will I stop the NAS from being exposed or it has already left some traces on the internet?
As long as its not accessible, nobody will be able to connect to it anyways.
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

Try adding them one-at-a-time, saving, logging out, restarting* your computer, then logging back in until...
Replies
12
Views
1,077
I receive the reports monthly, just actually got them on 2/1 and verified for some reason this is still...
Replies
4
Views
625
It took a while to get iOS Syno Drive Client to reset and ask for my 2FA to log back in. It was set up...
Replies
2
Views
489
  • Question
Unless your home network is CGNAT, Tailscale offers no real advantage over VPN or HTTPS. Keep it simple...
Replies
3
Views
1,250
Why sad Mr. T? I’ve learned much in past 5 years, but last 2…. It’s like someone stepped on the gas! I...
Replies
1
Views
945
I'm not familiar with the router hardware and I don't use OpenWRT but I have seen it enough to trigger a...
Replies
11
Views
3,238

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads

Back
Top